===========================================================
== Subject:     pam_winbind login without require_membership_of restrictions
==
== CVE ID#:     CVE-2012-6150
==
== Versions:    Samba 3.3.10, 3.4.3, 3.5.0 and later
==
== Summary:     Login of authenticated users is not restricted by the
==              pam_winbind require_membership_of parameter if it only
==              specifies invalid group names.
==
===========================================================

===========
Description
===========

Winbind allows for the further restriction of authenticated PAM logins
using the require_membership_of parameter. System administrators may
specify a list of SIDs or groups of which an authenticated user must be
a member. If an authenticated user does not belong to any of the
entries, then login should fail. Invalid group name entries are ignored.

Samba versions 3.3.10, 3.4.3, 3.5.0 and later incorrectly allow login
from authenticated users if the require_membership_of parameter
specifies only invalid group names.

This is a vulnerability with low impact. All require_membership_of
group names must be invalid for this bug to be encountered.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    http://www.samba.org/samba/security/

Samba versions 3.6.22, 4.0.13, and 4.1.3 have been released to address
this issue.

==========
Workaround
==========

Ensure that the require_membership_of parameter only refers to SIDs or
valid Active Directory group names.

=======
Credits
=======

This problem was found by Noel Power from SUSE, who also provided the
patch to fix the issue.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
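Added illustration, not part of the advisory and not Samba's code: a small Python model of the require_membership_of check described above. The group table, group names and SIDs are constructed sample values, and the model's "fixed" branch applies the rule the Description states (a configured list the user matches nothing in denies login), not Samba's actual patch.

```python
"""Model of the pam_winbind require_membership_of decision.

Constructed lookup table standing in for winbind's name -> SID
resolution; every name and SID below is made up for the example.
"""
from typing import Dict, List

# Constructed directory data (group name, lower-cased -> SID).
GROUP_SIDS: Dict[str, str] = {
    "example\\domain admins": "S-1-5-21-1000-2000-3000-512",
    "example\\vpn users": "S-1-5-21-1000-2000-3000-1105",
}


def resolve_entries(require_membership_of: str) -> List[str]:
    """Turn the comma-separated parameter into a list of SIDs.

    Literal SIDs are kept as given; group names are looked up; names
    that do not resolve are dropped, which is the "invalid group name
    entries are ignored" behaviour from the advisory.
    """
    sids: List[str] = []
    for raw in require_membership_of.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if entry.upper().startswith("S-1-"):
            sids.append(entry)
        elif entry.lower() in GROUP_SIDS:
            sids.append(GROUP_SIDS[entry.lower()])
        # otherwise: unresolvable name, silently ignored
    return sids


def login_allowed(require_membership_of: str, user_sids: List[str],
                  fixed: bool) -> bool:
    """Decide whether an already-authenticated user may log in.

    fixed=False reproduces the vulnerable logic: once every entry has
    been ignored, the empty list is treated like an unset parameter and
    the user is let through.  fixed=True applies the intended rule: a
    parameter that was configured but matches nothing denies login.
    """
    if not require_membership_of.strip():
        return True  # parameter not set: no extra restriction
    required = resolve_entries(require_membership_of)
    if not required:
        return not fixed  # all entries invalid: the CVE-2012-6150 case
    return any(sid in user_sids for sid in required)
```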